CN101313511B - Method, system and apparatus implementing security of multi-party communication - Google Patents
Method, system and apparatus implementing security of multi-party communication Download PDFInfo
- Publication number
- CN101313511B CN101313511B CN2007800001854A CN200780000185A CN101313511B CN 101313511 B CN101313511 B CN 101313511B CN 2007800001854 A CN2007800001854 A CN 2007800001854A CN 200780000185 A CN200780000185 A CN 200780000185A CN 101313511 B CN101313511 B CN 101313511B
- Authority
- CN
- China
- Prior art keywords
- group
- session
- layer security
- key management
- protocol
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
- 230000006854 communication Effects 0.000 title claims abstract description 54
- 238000004891 communication Methods 0.000 title claims abstract description 50
- 238000000034 method Methods 0.000 title claims abstract description 24
- 230000005540 biological transmission Effects 0.000 claims description 45
- 230000008569 process Effects 0.000 claims description 4
- 238000001514 detection method Methods 0.000 claims description 3
- 230000006870 function Effects 0.000 description 14
- 238000005516 engineering process Methods 0.000 description 5
- 238000013461 design Methods 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 101000997798 Pseudomonas alcaligenes Gentisate 1,2 dioxygenase 1 Proteins 0.000 description 2
- 238000011161 development Methods 0.000 description 2
- 230000006872 improvement Effects 0.000 description 2
- 230000000977 initiatory effect Effects 0.000 description 2
- 238000011160 research Methods 0.000 description 2
- 230000008901 benefit Effects 0.000 description 1
- 238000010276 construction Methods 0.000 description 1
- 230000008878 coupling Effects 0.000 description 1
- 238000010168 coupling process Methods 0.000 description 1
- 238000005859 coupling reaction Methods 0.000 description 1
- 230000035800 maturation Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0891—Revocation or update of secret information, e.g. encryption key update or rekeying
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/065—Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/166—Implementing security features at a particular protocol layer at the transport layer
Abstract
A method for achieving multi-party communication security comprises: the group control key management server authenticates the identity of group member devices by running the Transport Layer Security protocol or Datagram Transport Layer Security, and negotiates and establishes the initial session; the group control key management server and group member devices distribute the group session and the key update session to the group member devices by running the group key management sub protocol; when the group control key management server detects the key update event, the group control key management server and the group member devices processthe key update by running the group key management sub protocol. The corresponding multi-party communication security system and devices are provided.; The Transport Layer Security protocol or Datagram Transport Layer Security protocol is improved to solve the disadvantages of the current multicast security protocol suite solution, which are bad transplantablity and low arrangablity, and avoid the disadvantages that high cost and high risk with the redeveloping the new technical scheme.
Description
The application requires to submit on 08 15th, 2006 that Patent Office of the People's Republic of China, application number are 200610037058.9, denomination of invention is the priority of the Chinese patent application of " a kind of method, system and equipment of realizing multi-party communication security ", and its full content is by reference in conjunction with in this application.
Technical field
The present invention relates to communication information technical field, relate in particular to the Network Communicate Security technology, more particularly, the present invention relates to a kind of method, equipment and system that realizes multi-party communication security.
Background technology
Along with the fast development of communication and information technology, people no longer are confined to point-to-point communication to the requirement of communication, and have proposed the requirement of multi-party communication.Multi-party communication is also referred to as group communication, refers to have a kind of communication scenes that plural member participates in, and the scene of having only two sides is a special case of multi-party communication.Common multi-party communication scene comprises remote multi-party meeting, Internet protocol (IP, Internet Protocol) phone, Internet Protocol Television, network game on line, grid computing etc.
The demand for security of multi-party communication comprises: authorize and authentication, maintain secrecy, the group membership authenticates, source authentication, anonymity, integrality and anti-the playback.Message encryption to multi-party communication is the method that realizes the communication security confidentiality.The key that encryption and decryption are used has only the group member just to know, can guarantee that so encrypted message has only the group membership to understand.The group membership authenticates and also can utilize this key to realize, because only have the multicast message that the group membership of key could correctly generate encryption.The key of utilizing shared in many ways key to solve safety problem is the generation and the distribution of key.This generation and distribution must be exclusive, and promptly non-group membership can't obtain key.Source authentication, integrality and anonymous service also to utilize usually both sides or in many ways between the exclusive of information share.In multi-party communication, how to realize that exclusive the sharing of key is the group key management key technology.How group key management research is group member's generation, issue and update group key, and group key is all group member's cipher key shared, is used for multicast message carried out safety operations such as encryption and decryption.
At above specification requirement, multicast security (MSEC, Multicast Security) working group has proposed a plurality of agreements multi-party communication security is provided, and MSEC design of protocol thinking is that group key management and data security are separated, and emphasis solves the problem of group key management aspect.MSEC working group has formulated a plurality of group key management agreements, comprise group Security Association IKMP (GSAKMP, Group Secure Association Key Management Protocol), the territory group is explained agreement (GDOI, Group Domain of Interpretation), multimedia internet key management agreement (MIKEY, Multimedia Internet Keying) etc., the general character of these agreements is to bias toward the group key management scheme that standard is provided for the data security agreement based on the multicast mode.On working method, the MSEC protocol suite is suitable for being operated in the environment of supporting the multicast of IP layer, has just directly used the group key management algorithm that needs the multicast service such as GSAKMP and GODI agreement.Though this algorithm also can move under mode of unicast, has a strong impact on operational efficiency.Aspect the data security agreement of being supported, though the many nominals of MSEC protocol suite be extendible as: encapsulated security protocol (ESP, Encapsulating Security Protocol), authentication header (AH, Authentication Header) and actual time safety host-host protocol (SRTP, Secure Real-time Transport Protocol), preceding two kinds of agreements all are operated in the IP layer, and SRTP is operated in application layer, is used for the multi-medium data real-time Transmission.
The inventor finds that in research process the MSEC protocol suite is difficult to provide application programming calling interface (API, the Application Programming Interface) supply of standard to call its function with program or agreement, and portable low, deployable is poor.
With reference to figure 1, MSEC protocol suite work schematic diagram.MSEC protocol element 101 is operated on the User Datagram Protoco (UDP) unit 102 of transport layer, and emphasis is to solve key management, and data security is to be operated in ESP on the IP layer 104 or the SRTP on AH unit 103 and the application layer.The MSEC protocol suite adopts the separately mode of design of group key management agreement and data security agreement.Each group key management agreement can only be with the form isolated operation of finger daemon or application program, such as GDOI and GSAKMP, can not provide the API Calls interface supply of standard group key management to be controlled with program, therefore, the portability of application programs based on the group key management protocol development is very low.
The MIKEY agreement then needs to be embedded in the application program of calling its service to be moved.In other words, if application program need be called the function of MIKEY agreement, just need self to finish the reciprocal process of MIKEY agreement.This mode has increased the degree of coupling of MIKEY agreement and application program, and knowledge is realized in the inside that makes each need use the programming personnel of MIKEY protocol function all to need to understand the MIKEY agreement, has increased the realization difficulty of application program.
From secure data area, because main at present ESP, AH and the SRTP of supporting of MSEC protocol suite, preceding two kinds of agreements all realize at the IP layer, need run in the kernel of operating system, this implementation is difficult to provide the data security API Calls interface of standard equally, makes program portability relatively poor.In addition, different operating system realizes that the function of ESP and AH is not quite similar, and what have may not realize such function at all, and this situation causes deployable relatively poor.And SRTP is the agreement that is exclusively used in the real-time multimedia data transmission, and non-multimedia application can't be used its function.
In addition, even the MSEC protocol suite can be supported new data security agreement by expansion, but because lack at present a kind of general, that application program can directly be called, data security agreement of supporting multi-party communication, the service that application program still can not use the MSEC protocol suite to provide.
A kind of intercommunication security solution based on Transport Layer Security (TLS, Transport Layer Security) or datagram transmission layer safety (DTLS, Datagram Transport Layer Security) technology also is provided in the prior art.
TLS and DTLS agreement are moved based on the client/server mode, and safety functions such as authentication, key agreement, key updating, encryption, integrity protection, anti-playback can be provided.The characteristics of TLS and DTLS are to operate in transport layer, API supply routine call and its function of control of standard can be provided, and move in the program process space, have good deployable.But Transport Layer Security or datagram transmission layer can only provide security service for two side communication safely, to three parts and above communication scenes, can only realize by the mode of setting up a plurality of sessions (Session), but this mode is loaded down with trivial details, complicated, efficient is low, be difficult for implementation.
Summary of the invention
The embodiment of the invention provides a kind of method, system and equipment of realizing multi-party communication security, by expansion TLS or DTLS agreement, to inherit former TLS and the DTLS portability is good, deployable is high advantage.
The embodiment of the invention provides a kind of method that realizes multi-party communication security, comprising:
Group control key management server carries out authentication to group member's equipment, and creates initial session with the group member's equipment negotiation by authentication; It is wherein, described that group member's equipment is carried out authentication is to realize by operation Transport Layer Security or datagram transmission layer security protocol; Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol;
Described group of control key management server passes through the group key management sub-protocol to described distribution group session of group member's equipment and key updating session by authentication;
When described group of control key management server detects key updating event, this group control key management server and described by the authentication group member's equipment carry out key updating based on the group key management sub-protocol.
The embodiment of the invention provides a kind of multi-party communication security system, and this system comprises at least one group control key management server and be attached thereto at least two group member's equipment that connect that described group of control key management server comprises:
The first Transport Layer Security unit is used to move Transport Layer Security or datagram transmission layer security protocol;
The first group key management sub-protocol unit is connected with the described first Transport Layer Security unit, and operation is based on the group key management sub-protocol of Transport Layer Security or datagram transmission layer security protocol in described group of control key management server;
The session Dispatching Unit, under based on the control of the first group key management sub-protocol unit of Transport Layer Security or datagram transmission layer security protocol framework to distribution group session of group member's equipment and key updating session;
Key updating units, the key of update group session and key updating session automatically under the control of the described first group key management sub-protocol unit based on Transport Layer Security or datagram transmission layer security protocol framework;
Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol.
The embodiment of the invention also provides a kind of group of control key management server, is used for the group control and the group key management of multi-party communication security, and this group control key management server comprises:
The first Transport Layer Security unit is used to move Transport Layer Security or datagram transmission layer security protocol based on Transport Layer Security or datagram transmission layer security protocol;
The first group key management sub-protocol unit is connected with the described first Transport Layer Security unit, operation group key management sub-protocol in described group of control key management server;
The session Dispatching Unit, under the control of the described first group key management sub-protocol unit based on Transport Layer Security or datagram transmission layer security protocol framework to distribution group session of group member's equipment and key updating session;
Key updating units, the key of automatic update group session and key updating session under the control of the first group key management sub-protocol unit;
Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol.
The embodiment of the invention also provides a kind of group member's equipment of realizing secure communication in many ways, and this group member's equipment comprises:
The second Transport Layer Security unit is used to move Transport Layer Security or datagram transmission layer security protocol;
The second group key management sub-protocol unit is connected with the described second Transport Layer Security unit, and operation is based on the group key management sub-protocol of Transport Layer Security or datagram transmission layer security protocol in described group member's equipment;
The session receiving element receives the group session and the key updating session of described group of control key management server distribution under based on the control of the second group key management sub-protocol unit of Transport Layer Security or datagram transmission layer security protocol;
Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol.
In the technical scheme that the embodiment of the invention provides, in original TLS or DTLS agreement, added group key management sub-protocol, group session and group key management session, former agreement has been improved.Based on the security standard protocols TLS of maturation and DTLS structure multi-party communication security system, can multiplexing in a large number existing function and facility, on original part facility, do improvement, realize multi-party communication security at an easy rate.
In the technical scheme of the embodiment of the invention, in group control key management server, group key management sub-protocol unit and session Dispatching Unit have been increased, in group member's equipment, also increase group key management sub-protocol unit and session receiving element, be used for controlling the distribution and the key updating of group session; Group session is realized the multi-party communication data security, comprises encryption, integrity protection, anti-playback, source authentication, group authentication.Therefore, the embodiment of the invention designs group key management and data security unification, and moves in application space, can carry out alternately with application program easily, can provide api interface supply routine call and its function of control of standard, thereby the technical program is portable good.
Description of drawings
Fig. 1 is a multicast protocol family work schematic diagram in the prior art;
Fig. 2 is the system construction drawing of the multi-party communication security system in the embodiment of the invention;
Fig. 3 is the group control key management server structured flowchart in the embodiment of the invention;
Fig. 4 is the structured flowchart of the group member's equipment in the embodiment of the invention;
Fig. 5 is a flow chart of realizing the method for multi-party communication security in the embodiment of the invention;
Fig. 5 a is the flow chart of key updating in the method for realization multi-party communication security of the embodiment of the invention;
Fig. 6 is TLS or the DTLS protocol model after the expansion in the embodiment of the invention.
Embodiment
Set forth technical scheme of the present invention below in conjunction with accompanying drawing.
With reference to figure 2, be depicted as the system architecture diagram of a kind of multi-party communication security system in the embodiment of the invention.This multi-party communication security system comprises a group control key management server (GCKS, Group Control and Keying Server) 205 and be attached thereto four group member's equipment that connect, be respectively first group member 201, second group member 202, the 3rd group member 203 and the 4th group member 204.Group control key management server 205 is used for being responsible at multi-party communication security group member's functions such as mandate, authentication and key management.Wherein, GCKS205 is served as by special equipment usually, also can be served as by common group member's equipment.Being appreciated that group member's equipment is not limited to four, can be three or more than four.
With reference to figure 3, be depicted as the structured flowchart of a kind of group of control key management server in the embodiment of the invention, group control key management server 205 comprises:
The first Transport Layer Security unit 301 is used for moving TLS or DTLS agreement.
The first group key management sub-protocol unit 303 is connected with the first Transport Layer Security unit 301, session Dispatching Unit 302 respectively, controls the distribution and the key updating of described group session or key updating session by operation group key management sub-protocol;
Key updating event detecting unit 304 is connected with the first group key management sub-protocol unit 303, is used for detecting the multi-party communication process and whether has key updating event;
The automatic updating block 305 of key is connected with the first group key management sub-protocol unit 303, is used for the key of automatic update group session and key updating session.
With reference to figure 4, be depicted as the structured flowchart of group member's equipment of the multi-party communication security system in the embodiment of the invention.Group member's equipment comprises:
The second Transport Layer Security unit 401 is used to move TLS or DTLS agreement and GCKS205 and carries out authentication and initial session negotiation.
The second group key management sub-protocol unit 403 is connected with the second Transport Layer Security unit 401, session receiving element 402, is used to control the reception of described group session or key updating session;
With reference to figure 5, be depicted as a kind of method flow diagram of realizing multi-party communication security in the embodiment of the invention.Group control key management server 205 is created Access Control List (ACL), group session, key updating session by operation TLS or DTLS agreement before multi-party communication begins, and described method comprises:
In step 501, GCKS205 and group member's equipment carry out authentication by operation TLS or DTLS agreement, consult to create initial session;
GCKS205 and group member's equipment move TLS or DTLS agreement respectively simultaneously, and carry out authentication and initiation session (initial session) negotiation by operation handshake (shaking hands) sub-protocol.
In step 502, GCKS205 and group member's equipment are distributed described group session and key updating session by operation group key management sub-protocol (rekeying) to described group member's equipment;
GCKS205 and group member's equipment carry out key distribution respectively by operation rekeying sub-protocol;
Under the protection of initiation session; download described group session (group session) and rekeying session (key updating session) by the mode of initiatively downloading from GCKS205, to receive the group session and the key updating session of GCKS205 distribution.
With reference to figure 5a, the flow chart of key updating in a kind of method that realizes multi-party communication security that is depicted as that the embodiment of the invention provides.
Step S5031, GCKS205 detection key update event.Wherein, key updating event comprises that key is revealed and/or key expires and/or the group member leaves and/or new group member adds, and is not limited to above-mentioned key updating event.
Step S5032, GCKS205 judges whether that according to described key updating event needs carry out key updating, key updating if desired then enters step S5033, otherwise, forward step S5031 to.
Leave when detecting the 4th group member 204, or reveal or key expires or new group member adds etc. when key, then GCKS205 makes the decision of key updating according to this key updating event.
Step S5033, GCKS205 upgrade the key of rekeying session and group session automatically.
Step S5034, GCKS205 and all group member's equipment are by operation rekeying sub-protocol, the described session after distribution is upgraded.When key updating is initiated by GCKS205, under the protection of rekeying session, GCKS205 distributes described session in the mode that pushes; When key updating is initiated by one of them group member's equipment, under the protection of rekeying session, all group members go up group session and key updating session behind the down loading updating in the mode initiatively downloaded from GCKS205.
In communication process, when GCKS205 detected various event of failure, under the protection of initial session, GCKS205 and all group member's equipment were by the mutual mutual state information of operation alarm sub-protocol.
According to a kind of multi-party communication security method, system and the equipment that the embodiment of the invention provides, be improved in the intercommunication security solution expansion of original TLS or DTLS agreement.With reference to figure 6, illustrate the protocol model after the present invention improves TLS or DTLS.In the technical scheme that the embodiment of the invention provides, in the handshake elements 601 of former TLS or DTLS agreement, increase group key management sub-protocol module 602, in record protocol unit 603, increased group session module 604 and key updating conversation module 605.TLS and DTLS are full-fledged security standard protocols, and this protocol function is abundant, and practical application is many, and fail safe is through test.Based on they structure multi-party communication security systems, can multiplexing in a large number existing function and facility, on original part facility, do improvement, realize multi-party communication security at an easy rate.
It will be appreciated by those skilled in the art that, all or part of module in the foregoing description or each step are to instruct related hardware to realize by program, described program can be stored in the computer read/write memory medium, and described storage medium is as ROM/RAM, disk, laser disc etc.Perhaps they are made into each integrated circuit modules respectively, perhaps a plurality of modules in them or step are made into the single integrated circuit module and realize.Like this, the present invention is not restricted to any specific hardware and software combination.
In sum, in the technical scheme that the embodiment of the invention provides, increase group key management sub-protocol unit and session Dispatching Unit in the group control key management server, in group member's equipment, increased distribution and key updating that group key management sub-protocol unit and session receiving element are used for controlling group session; Group session is realized the multi-party communication data security, comprises encryption, integrity protection, anti-playback, source authentication, group authentication.Therefore, the present invention is the unified design of group key management and data security, and moves in application space, can carry out mutual with application program easily and, can provide api interface supply routine call and its function of control of standard, thereby the technical program is portable good.
Therefore, it is poor that the technical scheme that the embodiment of the invention provides has solved the portability of existing MSEC protocol suite solution well, the shortcoming that deployable is low, and avoid developing the new input height that solution had, the shortcoming that has a big risk.
Above disclosed only is one exemplary embodiment of the present invention, can not limit the present invention's interest field with this, and the equivalent variations of being done under the prerequisite that does not break away from essence of the present invention still belongs to the scope that the present invention is contained.
Claims (14)
1. a method that realizes multi-party communication security is characterized in that, this method comprises:
Group control key management server carries out authentication to group member's equipment, and creates initial session with the group member's equipment negotiation by authentication; It is wherein, described that group member's equipment is carried out authentication is to realize by operation Transport Layer Security or datagram transmission layer security protocol; Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol;
Described group of control key management server passes through the group key management sub-protocol to described distribution group session of group member's equipment and key updating session by authentication;
When described group of control key management server detects key updating event, this group control key management server and described by the authentication group member's equipment carry out key updating based on the group key management sub-protocol.
2. in accordance with the method for claim 1, it is characterized in that described distribution group session and key updating session are that the mode of initiatively downloading from described group of control key management server with group member's equipment is carried out under the protection of initial session.
3. according to claim 1 or 2 described methods, it is characterized in that described process of carrying out key updating comprises the steps:
Described group of control key management server detection key update event;
Judge whether that according to described key updating event needs carry out key updating, if then described group of control key management server upgrades the key of described key updating session and group session automatically, otherwise, continue the detection key update event;
Described group of group session and the key updating session of control key management server after described group member's equipment distribution is upgraded.
4. in accordance with the method for claim 3, it is characterized in that group session after the described renewal of described distribution and key updating session are that the mode that pushes with group control key management server is carried out under the protection of key updating session; Or
The mode of initiatively downloading from described group of control key management server with group member's equipment under the protection of key updating session is carried out.
5. in accordance with the method for claim 1, it is characterized in that, also comprise:
When detecting event of failure, described group of control key management server and group member's equipment obtain correlation behavior information alternately under the protection of initial session.
6. multi-party communication security system, this system comprise at least one group control key management server and are attached thereto at least two group member's equipment that connect, it is characterized in that described group of control key management server comprises:
The first Transport Layer Security unit is used to move Transport Layer Security or datagram transmission layer security protocol;
The first group key management sub-protocol unit is connected with the described first Transport Layer Security unit, and operation is based on the group key management sub-protocol of Transport Layer Security or datagram transmission layer security protocol in described group of control key management server;
The session Dispatching Unit, under based on the control of the first group key management sub-protocol unit of Transport Layer Security or datagram transmission layer security protocol framework to distribution group session of group member's equipment and key updating session;
Key updating units, the key of update group session and key updating session automatically under the control of the described first group key management sub-protocol unit based on Transport Layer Security or datagram transmission layer security protocol framework;
Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol.
7. according to the described system of claim 6, it is characterized in that described group member's equipment comprises:
The second Transport Layer Security unit is used to move Transport Layer Security or datagram transmission layer security protocol;
The second group key management sub-protocol unit is connected with the described second Transport Layer Security unit, and operation is based on the group key management sub-protocol of Transport Layer Security or datagram transmission layer security protocol in described group member's equipment;
The session receiving element receives the group session and the key updating session of described group of control key management server distribution under based on the control of the second group key management sub-protocol unit of Transport Layer Security or datagram transmission layer security protocol.
8. according to the described system of claim 7, it is characterized in that described group of control key management server also comprises:
The key updating event detecting unit is connected with the described first group key management sub-protocol unit, is used for detecting the multi-party communication process and whether has key updating event.
9. according to claim 7 or 8 described systems, it is characterized in that described session receiving element receives initial group session and key updating session from described group of control key management server in the mode of initiatively downloading under the protection of initial session.
10. according to the described system of claim 9, it is characterized in that described session Dispatching Unit is in group session and the key updating session of mode after described group member's equipment distribution is upgraded to push under the protection of key updating session.
11., it is characterized in that group session and the key updating session of described session receiving element after the mode of downloading with active under the protection of key updating session receives renewal according to the described system of claim 9.
12. a group control key management server, the group that is used for multi-party communication security is controlled and group key management, it is characterized in that this group control key management server comprises:
The first Transport Layer Security unit is used to move Transport Layer Security or datagram transmission layer security protocol;
The first group key management sub-protocol unit is connected with the described first Transport Layer Security unit, and operation is based on the group key management sub-protocol of Transport Layer Security or datagram transmission layer security protocol in described group of control key management server;
The session Dispatching Unit, under the control of the described first group key management sub-protocol unit based on Transport Layer Security or datagram transmission layer security protocol framework to distribution group session of group member's equipment and key updating session;
Key updating units, the key of automatic update group session and key updating session under the control of the first group key management sub-protocol unit;
Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol.
13., it is characterized in that this group control key management server also comprises according to described group of control key management server of claim 12:
Detecting unit is connected with the described first group key management sub-protocol unit, is used for detecting the multi-party communication process and whether has key updating event.
14. group member's equipment of realizing secure communication in many ways is characterized in that, this group member's equipment comprises:
The second Transport Layer Security unit is used to move Transport Layer Security or datagram transmission layer security protocol;
The second group key management sub-protocol unit is connected with the described second Transport Layer Security unit, and operation is based on the group key management sub-protocol of Transport Layer Security or datagram transmission layer security protocol in described group member's equipment;
The session receiving element, the group session and the key updating session of the distribution of reception group control key management server under based on the control of the second group key management sub-protocol unit of Transport Layer Security or datagram transmission layer security protocol;
Wherein, described Transport Layer Security or datagram transmission layer security protocol are to have added group key management sub-protocol, group session and group key management session in original Transport Layer Security or datagram transmission layer security protocol.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007800001854A CN101313511B (en) | 2006-08-15 | 2007-05-24 | Method, system and apparatus implementing security of multi-party communication |
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2006100370589A CN101127595B (en) | 2006-08-15 | 2006-08-15 | A method, system and device for securing multi-party communication |
| CN200610037058.9 | 2006-08-15 | ||
| CN2007800001854A CN101313511B (en) | 2006-08-15 | 2007-05-24 | Method, system and apparatus implementing security of multi-party communication |
| PCT/CN2007/001689 WO2008022520A1 (en) | 2006-08-15 | 2007-05-24 | A method, system and device for achieving multi-party communication security |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101313511A CN101313511A (en) | 2008-11-26 |
| CN101313511B true CN101313511B (en) | 2011-02-09 |
Family
ID=39095532
Family Applications (2)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2006100370589A Expired - Fee Related CN101127595B (en) | 2006-08-15 | 2006-08-15 | A method, system and device for securing multi-party communication |
| CN2007800001854A Expired - Fee Related CN101313511B (en) | 2006-08-15 | 2007-05-24 | Method, system and apparatus implementing security of multi-party communication |
Family Applications Before (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2006100370589A Expired - Fee Related CN101127595B (en) | 2006-08-15 | 2006-08-15 | A method, system and device for securing multi-party communication |
Country Status (4)
| Country | Link |
|---|---|
| US (1) | US20090271612A1 (en) |
| EP (1) | EP2056521A4 (en) |
| CN (2) | CN101127595B (en) |
| WO (1) | WO2008022520A1 (en) |
Families Citing this family (23)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101127595B (en) * | 2006-08-15 | 2011-02-02 | 华为技术有限公司 | A method, system and device for securing multi-party communication |
| US8429400B2 (en) * | 2007-06-21 | 2013-04-23 | Cisco Technology, Inc. | VPN processing via service insertion architecture |
| CN101370004A (en) * | 2007-08-16 | 2009-02-18 | 华为技术有限公司 | Distribution method and multicast apparatus for multicast conversation security policy |
| US8401195B2 (en) * | 2008-09-22 | 2013-03-19 | Motorola Solutions, Inc. | Method of automatically populating a list of managed secure communications group members |
| CN101997835B (en) * | 2009-08-10 | 2014-02-19 | 北京多思科技发展有限公司 | Network security communication method, data security processing device and system for finance |
| CN101997677B (en) * | 2009-08-18 | 2015-01-28 | 中兴通讯股份有限公司 | Management method and device for conference media stream key in IP multimedia subsystem |
| CN101710859B (en) * | 2009-11-17 | 2014-02-12 | 深圳国微技术有限公司 | Authentication key agreement method |
| US9294270B2 (en) * | 2010-01-05 | 2016-03-22 | Cisco Technology, Inc. | Detection of stale encryption policy by group members |
| US9230373B2 (en) * | 2013-02-07 | 2016-01-05 | Honeywell International Inc. | System and method to aggregate control of multiple devices via multicast messages and automatic set up of connections |
| CN103269276B (en) * | 2013-05-22 | 2016-03-16 | 杭州华三通信技术有限公司 | A kind of method and apparatus realizing group membership's devices communicating |
| US9531704B2 (en) * | 2013-06-25 | 2016-12-27 | Google Inc. | Efficient network layer for IPv6 protocol |
| JP6850530B2 (en) * | 2014-10-20 | 2021-03-31 | タタ コンサルタンシー サービシズ リミテッドTATA Consultancy Services Limited | Computer-based systems and computer-based methods for establishing secure sessions and exchanging encrypted data |
| TWI556618B (en) * | 2015-01-16 | 2016-11-01 | Univ Nat Kaohsiung 1St Univ Sc | Network Group Authentication System and Method |
| US9591479B1 (en) * | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure telecommunications |
| US10341100B2 (en) * | 2017-01-06 | 2019-07-02 | Microsoft Technology Licensing, Llc | Partially encrypted conversations via keys on member change |
| US10320842B1 (en) | 2017-03-24 | 2019-06-11 | Symantec Corporation | Securely sharing a transport layer security session with one or more trusted devices |
| GB201710168D0 (en) | 2017-06-26 | 2017-08-09 | Microsoft Technology Licensing Llc | Introducing middleboxes into secure communications between a client and a sever |
| US10778432B2 (en) | 2017-11-08 | 2020-09-15 | Wickr Inc. | End-to-end encryption during a secure communication session |
| US11101999B2 (en) | 2017-11-08 | 2021-08-24 | Amazon Technologies, Inc. | Two-way handshake for key establishment for secure communications |
| US10855440B1 (en) | 2017-11-08 | 2020-12-01 | Wickr Inc. | Generating new encryption keys during a secure communication session |
| US10541814B2 (en) * | 2017-11-08 | 2020-01-21 | Wickr Inc. | End-to-end encryption during a secure communication session |
| CN112543100B (en) * | 2020-11-27 | 2023-07-28 | 中国银联股份有限公司 | Dynamic key generation method and system |
| CN113612612A (en) * | 2021-09-30 | 2021-11-05 | 阿里云计算有限公司 | Data encryption transmission method, system, equipment and storage medium |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6215878B1 (en) * | 1998-10-20 | 2001-04-10 | Cisco Technology, Inc. | Group key distribution |
| CN1642073A (en) * | 2004-01-17 | 2005-07-20 | 神州亿品科技(北京)有限公司 | Group key consultation and updating method for wireless LAN |
| CN101127595A (en) * | 2006-08-15 | 2008-02-20 | 华为技术有限公司 | A method, system and device for securing multi-party communication |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6049878A (en) * | 1998-01-20 | 2000-04-11 | Sun Microsystems, Inc. | Efficient, secure multicasting with global knowledge |
| US7089211B1 (en) * | 2000-01-12 | 2006-08-08 | Cisco Technology, Inc. | Directory enabled secure multicast group communications |
| US7412058B2 (en) * | 2003-03-18 | 2008-08-12 | Delphi Technologies, Inc. | Digital receiver and method for receiving secure group data |
| US7774411B2 (en) * | 2003-12-12 | 2010-08-10 | Wisys Technology Foundation, Inc. | Secure electronic message transport protocol |
| US20050129236A1 (en) * | 2003-12-15 | 2005-06-16 | Nokia, Inc. | Apparatus and method for data source authentication for multicast security |
| KR100657273B1 (en) * | 2004-08-05 | 2006-12-14 | 삼성전자주식회사 | Rekeying Method in secure Group in case of user-join and Communicating System using the same |
| US7676679B2 (en) * | 2005-02-15 | 2010-03-09 | Cisco Technology, Inc. | Method for self-synchronizing time between communicating networked systems using timestamps |
-
2006
- 2006-08-15 CN CN2006100370589A patent/CN101127595B/en not_active Expired - Fee Related
-
2007
- 2007-05-24 WO PCT/CN2007/001689 patent/WO2008022520A1/en active Application Filing
- 2007-05-24 EP EP07721262A patent/EP2056521A4/en not_active Withdrawn
- 2007-05-24 CN CN2007800001854A patent/CN101313511B/en not_active Expired - Fee Related
- 2007-05-24 US US11/917,080 patent/US20090271612A1/en not_active Abandoned
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6215878B1 (en) * | 1998-10-20 | 2001-04-10 | Cisco Technology, Inc. | Group key distribution |
| CN1642073A (en) * | 2004-01-17 | 2005-07-20 | 神州亿品科技(北京)有限公司 | Group key consultation and updating method for wireless LAN |
| CN101127595A (en) * | 2006-08-15 | 2008-02-20 | 华为技术有限公司 | A method, system and device for securing multi-party communication |
Non-Patent Citations (2)
| Title |
|---|
| Mark Baugher等,.MSEC Group Key Management Architecture.draft-ietf-msec-gkmarch-08.2004,第1-38页. |
| Mark Baugher等.MSEC Group Key Management Architecture.draft-ietf-msec-gkmarch-08.2004,第1-38页. * |
Also Published As
| Publication number | Publication date |
|---|---|
| EP2056521A1 (en) | 2009-05-06 |
| CN101313511A (en) | 2008-11-26 |
| CN101127595B (en) | 2011-02-02 |
| US20090271612A1 (en) | 2009-10-29 |
| EP2056521A4 (en) | 2010-01-13 |
| WO2008022520A1 (en) | 2008-02-28 |
| CN101127595A (en) | 2008-02-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101313511B (en) | Method, system and apparatus implementing security of multi-party communication | |
| WO2019120091A1 (en) | Identity authentication method and system, and computing device | |
| US9088861B2 (en) | Method and apparatus for bearer and server independent parental control on smartphone, managed by smartphone | |
| CN101106449B (en) | System and method for realizing multi-party communication security | |
| US9819485B2 (en) | Apparatus and method for secure delivery of data utilizing encryption key management | |
| CN105393564A (en) | Communication between host and accessory devices using accessory protocols via wireless transport | |
| CN105027107A (en) | Secure virtual machine migration | |
| CN110289952B (en) | Quantum data link security terminal and security communication network | |
| CN106888206B (en) | Key exchange method, device and system | |
| CN102195930B (en) | Security access method among equipment and communication equipment | |
| US20080271137A1 (en) | Instant communication with tls vpn tunnel management | |
| CN112583802A (en) | Data sharing platform system and equipment based on block chain and data sharing method | |
| WO2022199186A1 (en) | Internet-of-things communication system based on quantum technology | |
| CN102083023A (en) | Method, system and equipment for restarting remote control equipment | |
| CN107493189A (en) | A kind of remote failure processing method and system | |
| CN101810017A (en) | Selective security termination in next generation mobile networks | |
| CN115632779B (en) | Quantum encryption communication method and system based on power distribution network | |
| CN108667820B (en) | Shared electronic whiteboard encryption method, system, electronic equipment and storage medium | |
| CN108289074A (en) | User account login method and device | |
| CN112511892B (en) | Screen sharing method, device, server and storage medium | |
| CN103856938A (en) | Encryption and decryption method, system and device | |
| CN104917750B (en) | A kind of key-course towards SDN and data Layer communication port self-configuration method and its system | |
| CN110719309B (en) | Virtual desktop connection method, proxy device, system, equipment and storage medium | |
| CN113472722A (en) | Data transmission method, storage medium, electronic device and automatic ticket selling and checking system | |
| KR101657893B1 (en) | Encryption method for cloud service and cloud system providing encryption based on user equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20110209 Termination date: 20150524 |
|
| EXPY | Termination of patent right or utility model |